Hierarchical Rate Limiting of Control Packets

ABSTRACT

Line cards receive control packets and perform a hierarchical rate limiting on those control packets. A set of identifier keys are extracted from the control packets and the protocol of those control packets are determined. At a first level, the control packets are rate limited per unique set of identifier keys per protocol. Those packets which fail the first rate limiting level are dropped. Those packets which pass the first rate limiting level are rate limited at a second level per protocol type. Those packets which fail the second level rate limiting are dropped while those packets which pass the second level rate limiting are sent to the control card for further processing.

BACKGROUND

1. Field

Embodiments of the invention relate to the field of network processing;and more specifically, to hierarchical rate limiting of control packetsreceived on a line card of a network element.

2. Background

Network elements typically include multiple line cards that performpacket forwarding/switching at high speed under the direction of one ormore control cards. The control cards perform signaling, routing(including creation of and/or management of routing tables), connectionsetup, session setup, etc. The line cards receive data packets (whichare typically forwarded/switched at a high speed) and control packetswhich need to be processed by the control card. Control packetstypically are related to signaling, routing updates, connection setup,session setup, etc.

For example, in the case of PPPoE (Point to Point Protocol overEthernet), the line cards can receive from computing end devices PPPoEActive Discovery Request (PADR) control packets and PPPoE ActiveDiscovery Initiate (PADI) control packets. These PADR and PADI packetsmust be sent to the control card for further processing. Other examplesof control packets include DHCP (Dynamic Host Configuration Protocol)packets, CLIPS (Clientless IP Service) packets, Neighbor Discovery forIPv6, ARP (Address Resolution Protocol) packets.

Commonly, line cards employ a coarse control packet rate limitingmechanism on each of the line cards to prevent a large amount of packetsfrom being sent from the line cards to the control card. These ratelimits are typically applied per physical entity (e.g., per card, perport, etc.) or per protocol and apply to multiple subscribers orcomputer end stations. Typically, the rate limits indicate the quantityof control packets that may be sent to the line card. If over the ratelimit, the control packets are typically dropped in the line cards.

Thus, since the rate limits are typically applied per physical entity orprotocol, a single computer end station transmitting an exorbitantamount of control packets causing the rate limit to be exceeded cancause existing subscriber's control packets to be dropped or lead to newsubscriber sessions to fail since those control packets will be dropped.

SUMMARY

In one embodiment of the invention, control packets are hierarchicallyrate limited on a line card of a network element. For each receivedcontrol packet on the line card, the protocol type of that controlpacket is determined, a set of one or more identifier keys in thatcontrol packet are extracted based on the protocol type of the controlpacket (and in some instances specific control packets (e.g., PADR(PPPoE Active Discovery Request) packets and PADI (PPPoE ActiveDiscovery Initiate) packets)), and an identifier key based rate limitingis performed based on the set of extracted identifier keys and thedetermined protocol type of the control packet. Those control packetswhich do not pass the identifier key based rate limiting (e.g., thosepackets whose corresponding packet count value for that set ofidentifier keys for that protocol exceeds an identifier key based ratelimit value) are dropped. Those control packets which pass theidentifier key based rate limiting are rate limited at a protocol levelbased on the protocol type of the control packets (e.g., per protocol).Those control packets which pass the protocol level rate limiting areallowed to be directed to a control card for further processing, whilethose control packets which do not pass the protocol level rate limiting(e.g., those packets whose corresponding packet count rate limit valueper protocol exceeds a protocol level rate limit value for thatprotocol) are dropped.

In some embodiments, one or more of the set of identifier keys, theidentifier key based rate limiting value, and the protocol level ratelimit value are configurable by a system operator of the network elementallowing flexible control packet rate limiting. Thus, control packetsfrom different computer end stations (and different network interfaceswithin the computer end stations) can be rate limited separately whilean overall protocol level rate limiting for each line card ismaintained. Thus, the hierarchical control packet rate limiting protectsagainst computer end stations performing denial of service attacks bycontrolling the amount of control packets accepted for processing foreach computer end station while allowing legitimate control packettraffic to be accepted.

In one embodiment of the invention, each line card of a network elementincludes a packet parsing engine to parse control packets to determineprotocol types of the control packets and extract a set of one or moreidentifier keys in each control packet based on the determined protocoltype of the control packets. Each line card also includes multiple firstlevel execution units to perform a first level of control packet ratelimiting on received control packets per unique ones of the set ofidentifier keys and protocol type according to a number of controlpackets of each unique protocol type and set of identifier keys that areaccepted for processing over a first time interval. The first levelexecution units drop those control packets that fail the first level ofcontrol packet rate limiting (e.g., those packets whose correspondingpacket count value for the set of identifier keys and protocol exceed anidentifier key based rate limit value). Each line card also includes aset of one or more second level execution units to perform a secondlevel of control packet rate limiting on those packets that pass thefirst level of control packet rate limiting per protocol type accordingto a number of control packets of each unique protocol type that areaccepted for processing over a second time interval. The set of secondlevel execution units drop those control packets that fail the secondlevel of control packet rate limiting (e.g., those packets whosecorresponding packet count rate limit value per protocol exceeds aprotocol level rate limit value for that protocol). Those packets whichpass the second level of control packet rate limiting are allowed to bedirected to the control card for further processing.

In one embodiment of the invention, a line card for rate limitingcontrol packets includes multiple network processing units (NPUs), eachhaving a separate memory domain and is coupled with one or more ports ofthe line card, and a central line processor. Each NPU receives packetsto process including control packets and data packets. Each NPU includesa packet parsing engine to parse control packets to determine a protocoltype of the control packets and to extract a set of one or moreidentifier keys from each control packet based on the determinedprotocol type of that control packet. Each NPU further includes multiplefirst level execution units to perform an identifier key based ratelimiting for each unique set of extracted identifier keys per protocoltype. The first level execution units will drop those control packetswhich do not pass the identifier key based rate limiting. Each NPUfurther includes a set of one or more second level execution units toperform a protocol based rate limiting on each of those control packetsthat pass the identifier key based rate limiting. The set of secondlevel execution units drops those control packets which do not pass theprotocol based rate limiting and sends those control packets which dopass to the central line processor of the line card along with currentpacket count values associated with each of those control packets (e.g.,for each control packet a identifier key control packet count value anda protocol control packet count value). The central line processoraggregates the control packets received from the multiple NPUs that havethe same set of identifier keys per protocol (e.g., for each unique setof identifier keys per protocol, the central line processor adds thepacket count values received from the NPUs), and aggregates the controlpackets received from the multiple NPUs per protocol type (e.g., foreach control packet per protocol, the central line processor adds theprotocol control packet count values received from the NPUs). Thecentral line processor performs an aggregate identifier key based ratelimiting on the control packets received from the NPUs for each uniqueset of identifier keys per protocol type according to the aggregatedpacket count value for those unique set of identifier keys per protocoltype. The central line processor drops those control packets that failthe aggregate identifier key based rate limiting. The central lineprocessor performs an aggregate protocol based rate limiting for thosecontrol packets that pass the aggregate identifier key based ratelimiting for each unique protocol type according to the aggregatedpacket count value for those unique protocol types. The central lineprocessor drops those control packets which fail the aggregate protocolbased rate limiting. Those packets which pass the aggregate protocolbased rate limiting are allowed to be directed to the control card forfurther processing.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention may best be understood by referring to the followingdescription and accompanying drawings that are used to illustrateembodiments of the invention. In the drawings:

FIG. 1 illustrates an exemplary network including a network elementperforming hierarchical rate limiting of control packets according toone embodiment of the invention;

FIG. 2 illustrates an exemplary line card of a network elementillustrated in FIG. 1 according to one embodiment of the invention;

FIG. 3 is a flow diagram illustrating exemplary operations forhierarchical control packet rate limiting according to one embodiment ofthe invention;

FIG. 4 illustrates a line card with multiple network processing unitsperforming hierarchical rate limiting for control packets according toone embodiment of the invention;

FIG. 5 illustrates an exemplary line card that includes multiple networkprocessing units that performs hierarchical rate limiting for controlpackets according to one embodiment of the invention; and

FIG. 6 is a flow diagram illustrating exemplary operations forhierarchical rate limiting in line cards with multiple networkprocessing units according to one embodiment of the invention.

DETAILED DESCRIPTION

In the following description, numerous specific details are set forth.However, it is understood that embodiments of the invention may bepracticed without these specific details. In other instances, controlstructures, gate level circuits and full software instruction sequenceshave not been shown in detail in order not to obscure the invention.Those of ordinary skill in the art, with the included descriptions, willbe able to implement appropriate functionality without undueexperimentation.

References in the specification to “one embodiment,” “an embodiment,”“an example embodiment,” etc., indicate that the embodiment describedmay include a particular feature, structure, or characteristic, butevery embodiment may not necessarily include the particular feature,structure, or characteristic. Moreover, such phrases are not necessarilyreferring to the same embodiment. Further, when a particular feature,structure, or characteristic is described in connection with anembodiment, it is submitted that it is within the knowledge of oneskilled in the art to effect such feature, structure, or characteristicin connection with other embodiments whether or not explicitlydescribed.

In the following description and claims, the terms “coupled” and“connected,” along with their derivatives, may be used. It should beunderstood that these terms are not intended as synonyms for each other.“Coupled” is used to indicate that two or more elements, which may ormay not be in direct physical or electrical contact with each other,co-operate or interact with each other. “Connected” is used to indicatethe establishment of communication between two or more elements that arecoupled with each other.

The techniques shown in the figures can be implemented using code anddata stored and executed on one or more electronic devices (e.g., acomputer end station, a network element, etc.). Such electronic devicesstore and communicate (internally and/or with other electronic devicesover a network) code and data using machine-readable media, such asmachine-readable storage media (e.g., magnetic disks; optical disks;random access memory; read only memory; flash memory devices;phase-change memory) and machine-readable communication media (e.g.,electrical, optical, acoustical or other form of propagated signals—suchas carrier waves, infrared signals, digital signals, etc.). In addition,such electronic devices typically include a set of one or moreprocessors coupled to one or more other components, such as a storagedevice, one or more user input/output devices (e.g., a keyboard, atouchscreen, and/or a display), and a network connection. The couplingof the set of processors and other components is typically through oneor more busses and bridges (also termed as bus controllers). The storagedevice and signals carrying the network traffic respectively representone or more machine-readable storage media and machine-readablecommunication media. Thus, the storage device of a given electronicdevice typically stores code and/or data for execution on the set of oneor more processors of that electronic device. Of course, one or moreparts of an embodiment of the invention may be implemented usingdifferent combinations of software, firmware, and/or hardware.

As used herein, a network element (e.g., a router, switch, bridge, etc.)is a piece of networking equipment, including hardware and software,that communicatively interconnects other equipment on the network (e.g.,other network elements, computer end stations, etc.). Some networkelements are “multiple services network elements” that provide supportfor multiple networking functions (e.g., routing, bridging, switching,Layer 2 aggregation, and/or subscriber management), and/or providesupport for multiple application services (e.g., data, voice, andvideo). Subscriber computer end stations (e.g., workstations, laptops,palm tops, mobile phones, smartphones, multimedia phones, portable mediaplayers, GPS units, gaming systems, set-top boxes, etc.) accesscontent/services provided over the Internet and/or content/servicesprovided on virtual private networks (VPNs) overlaid on the Internet.The content and/or services are typically provided by one or more servercomputer end stations belonging to a service or content provider, andmay include public webpages (free content, store fronts, searchservices, etc.), private webpages (e.g., username/password accessedwebpages providing email services, etc.), corporate networks over VPNs,etc. Typically, subscriber computer end stations are coupled (e.g.,through customer premise equipment coupled to an access network (wiredor wirelessly)) to edge network elements, which are coupled (e.g.,through one or more core network elements to other edge networkelements) to the server computer end stations.

A method and apparatus for hierarchical rate limiting of control packetsis described. In one embodiment of the invention, control packets arerate limited at a first level based on a set of one or more identifierkeys included in the control packets (e.g., one or more of source MACaddress, source IP address, GIADDR (Gateway IP Address), etc.). Theidentifier key rate limiting values are configurable by a systemoperator of the network element. Those packets which do not pass theidentifier key based rate limiting are dropped. Those packets which passthe identifier key based rate limiting are queued (if the queue depthhas not been exceeded) and those packets are rate limited at a secondlevel based on the protocol of the packet. Those packets which do notpass the second level rate limiting are dropped, while those that passthe second level rate limiting are allowed to be sent to the controlcard for further processing.

In one embodiment, each line card includes multiple execution units thateach process control packets and each perform the first level ratelimiting (e.g., identifier key based rate limiting). Each line card alsoincludes a set of one or more execution units that perform the secondlevel rate limiting (e.g., protocol based rate limiting).

In one embodiment, each line card includes multiple network processingunits (NPUs) and a central line processor. Each of the NPUs includesmultiple execution units that each process control packets and eachperform the first level rate limiting (e.g., identifier key based ratelimiting), and a set of one or more execution units that perform thesecond level rate limiting (e.g., protocol based rate limiting). Thosepackets which pass the second level rate limiting are sent to thecentral line processor. The central line processor aggregates thecontrol packets and the control packet counts based on identifier keyand protocol. The central line processor performs a third level ratelimiting based on the aggregate count for the identifier keys. Thosecontrol packets which do not pass the third level rate limiting aredropped, while a fourth level rate limiting is applied to those packetsthat pass the third level rate limiting. The fourth level rate limitingis based on the aggregate packet count for the protocol. Those packetswhich pass the fourth level rate limiting are allowed to be sent to thecontrol card for further processing while those packets which do notpass the fourth level rate limiting are dropped.

FIG. 1 illustrates an exemplary network including a network elementperforming hierarchical rate limiting of control packets according toone embodiment of the invention. The network 190 includes the computerend stations 105 and 110 and the network element 100. In one embodiment,the computer end stations 105 and 110 are subscriber computer endstations of a different end user and the network element 100 is an edgenetwork element. Although not illustrated in FIG. 1, it should beunderstood that the computer end stations 105 and 110 may connect withthe network 100 through one or more other computing devices (e.g.,access devices such as a DSLAM, CMTS, etc.).

The computer end station 105 transmits packets (including data packetsand control packets) to the network element 100 and receives packetstransmitted from the network element 100 over the connection 120.Similarly, the computer end station 110 transmits packets (includingdata packets and control packets) to the network element 100 andreceives packets transmitted from the network element 100 over theconnection 115.

The network element 100 includes multiple line cards 125 coupled withthe control card 170 through the high speed mesh 160. The line cards 125receive control packets and send the control packets to the control card170 for further processing. The line cards 125 perform hierarchical ratelimiting on the control packets it receives (thus, the line cards 125throttle the number of control packets that are sent to the control card170 in multiple levels). In one embodiment, the line cards 125 performan identifier key based rate limiting at a first level and a protocollevel rate limiting at a second level.

The line cards 125 each include an identifier key based rate limitermodule 140 that performs the identifier key based rate limiting based ona set of one or more identifier keys that are associated with thecontrol packets it receives. The set of set of identifier keys can bedifferent for different protocols. The set of identifier keys for agiven control packet identify and classify that control packet. Forexample, the set of identifier keys may be associated with a subscriberof the network element 100. The set of identifier keys can includeinformation in the control packets (e.g., source MAC address,destination MAC address, GIADDR, etc.) and information associated withthe control packets that has local significance to the network element100 (e.g., a local identifier assigned to the circuit on which thepacket was received, the port on which the control packets are received,etc.). In some embodiments, the system operator may define theidentifier keys that the identifier key based rate limiting is based on.

The line cards 125 also include the protocol based rate limiter module150 to perform the protocol based rate limiting based on the protocoltype of the control packets and/or on the type of the control packets.For example, the protocol based rate limiter module 150 can perform ratelimiting for all DHCP packets received on the line card. As anotherexample, the protocol based rate limiter module 150 can perform ratelimiting for specific types of control packets such as PADR (PPPoEActive Discovery Request) packets and PADI (PPPoE Active DiscoveryInitiate) packets. In one embodiment, the protocol based rate limitermodule 150 performs the protocol based rate limiting on those packetswhich pass the identifier key based rate limiting.

The identifier key based rate limiter module 140 retrieves theidentifier key rate limits used in the identifier key based ratelimiting from the identifier key based rate limit values 145. Theprotocol based rate limiter module 150 retrieves the rate limits for theprotocols based rate limiting from the protocol level rate limit values155.

In one embodiment, the rate limit values (e.g., the protocol level ratelimit values 155 and the identifier key rate limit values 145) areconfigurable by a system operator of the network element 100. Forexample, the system operator can use the command line interface 180 ofthe control card 170 to configure the protocol level rate limit values155 and the identifier key based rate limit values 145. For example, foreach protocol type (and in some instances control packet type (e.g.,PADI or PADR)) the system operator can set the number of control packetsallowed for the identifier keys over a specified amount of time(allow-interval). In addition, the system operator can configure theamount of time of the allow-interval and can configure a drop-intervalwhich indicates the amount of time that control packets that fail willbe dropped until the next allow-interval starts. Additionally, for eachprotocol type (and in some instances control packet type) the systemoperator can set the total number of control packets allowed for thatprotocol (or control packet type) over a specified allow-interval. Inaddition, the system operator can configure the amount of time for theallow-interval and can configure the amount of time for a drop-intervalfor the protocol.

As previously described, the computer end stations 105 and 110 transmitand receive control packets over the connections 120 and 115respectively. The control packets may be for different protocols indifferent embodiments of the invention (e.g., DHCP (Dynamic HostConfiguration Protocol) control packets, PPPoE (Point to Point Protocolover Ethernet) control packets (e.g., PADR packets, PADI packets), ARP(Address Resolution Packets), Neighbor Discovery for IPv6 packets,etc.). The control packets which are allowed to be sent to the controlcard 170 will be processed by appropriate ones of the protocol module(s)175. For example, PPPoE control packets may be processed by a PPPoEmodule of the protocol module(s) 175.

In one embodiment, for PPPoE subscribers, the PADR and PADI packets arerate limited separately. While in one embodiment the identifier key usedfor PADR and PADI packets is the source MAC address included in thepackets, in other embodiments the identifier key is different (e.g.,based on the source and destination MAC address, the destination MACaddress, etc.). For ARP packets, the identifier key is the source MACaddress included in the ARP packets. For DHCP control packets, theidentifier key is the source MAC address and optionally the GIADDRincluded in the packets.

As illustrated in FIG. 1, the computer end stations 105 and 110 aretransmitting DHCP control packets over the connections 120 and 115respectively. However, it should be understood that the computer endstations 105 and 110 can transmit different control packets over theconnections 120 and 115 respectively. For purposes of explanation, theconnections 120 and 115 are terminated on the same one of the line cards125. The computer end station 105 is transmitting DHCP control packetsover the connection 120 at a rate of 100 packets over a particular timeperiod with an identifier key of MAC1. The computer end station 105 istransmitting DHCP control packets over the connection 125 at a rate of 3packets over that same time period with an identifier key of MAC2.

The identifier key based rate limiter module 140 applies an identifierkey based rate limiting on the control packets (e.g., the DHCP packetsreceived from the computer end stations 105 and 110). The identifier keybased rate limiter module 140 retrieves the rate limit values associatedwith the identifier keys from the identifier key based rate limit values145. For example, based on the protocol type of the packet (e.g., DHCP),the identifier key based rate limit values 145 indicates a number ofpackets that can be accepted over an allow interval for each differentidentifier key of that protocol type (e.g., each different source MACaddress and optionally GIADDR of the DHCP packets). As illustrated inFIG. 1, for each unique identifier key for DCHP control packets, tenDHCP control packets are allowed over the time period (e.g., the sametime period in which the computer end stations 105 and 110 aretransmitting 100 DHCP packets and 3 DHCP packets respectively). Sincethe computer end station 105 transmits 100 DHCP packets over the timeperiod, which exceeds the identifier key rate limit of 10, theidentifier key based rate limiter module 140 accepts 10 DCHP packets anddrops 90 of those DHCP packets. Since the computer end station 110transmits 3 DHCP packets over the time period, which is below theidentifier key rate limit, the identifier key based rate limiter module140 accepts all three of the DHCP packets. In one embodiment, acceptingthe control packets includes enqueuing the packets to a protocolspecific queue or in some instances, a control packet type specificqueue (e.g., a DHCP control packet queue, a PADI queue, a PADR queue,etc.).

Sometime after the control packets are rate limited based on theidentifier keys, those packets which have passed are rate limited at acard level by the card level based rate limiter module 150 based on theprotocol of the control packets or in some instances control packettype. The card level based rate limiter module 150 retrieves the cardlevel rate limits (per protocol) from the card level rate limit values155. For example, based on the protocol type of the packet (e.g., DHCP),the card level rate limit values 155 indicates a number of controlpackets of that protocol that can be admitted to the control card 170.As illustrated in FIG. 1, a total of 50 DHCP control packets can beadmitted to the control card 170 over the time period. Assuming that thecomputer end stations 105 and 110 are the only entities transmittingDHCP control packets to the line cards 125, the card level based ratelimiter module 150 admits 10 DHCP control packets with the identifierkey of MAC1 (from the computer end station 105) and admits 3 DHCPcontrol packets with the identifier key of MAC2 (from the computer endstation 110).

FIG. 2 illustrates a more detailed view of one of the line cards 125 ofthe network element 100 according to one embodiment of the invention.The packet parsing engine 210 parses control packets received at theline cards 125 to extract the data in the packet and write the packetdata into the packet buffer memory 215. Based on the data extracted, thepacket's protocol and type of control packet can be determined. Inaddition, a priority is also assigned to the control packet (e.g.,different protocols may have different priorities). The control packetis enqueued to one of the packet work queues 212 based on the priorityassigned to the control packet. The execution units 220, which eachexecute an instance of the identifier key based rate limiter module 140,cycle through the packet work queues 212 for pending packets to process.

Based on the packet's protocol, the identifier key based rate limitermodule 140 determines which one or more parameters associated with thepacket to use when generating an identifier key (e.g., source MACaddress field for PADI and PADR packets, etc.). In one embodiment, theidentifier key based rate limiting profile 260 stores a profile thatindicates which parts of the packet to use based on the protocol type orcontrol packet type of the control packet. The identifier key based ratelimiter module 140 then extracts the one or more parts of the packet toextract the one or more identifier keys. In addition, local propertiesof the packet may be used generating the identifier key (e.g., uniquelocal identifier that identifies the connection the control packetbelongs (e.g., slot/port/channel/unique-identifier), etc.).

The identifier key based rate limiter module 140 retrieves the ratelimit values associated with the key from the identifier key rate limitvalues 145. In one embodiment of the invention, all keys belonging tothe same protocol (e.g., DHCP) or control packet type (e.g., PADI orPADR) have the same rate limit value, while in other embodiments eachunique key can be associated with a different rate limit value.

In one embodiment, the identifier key based rate limiter module 140applies a hash function to the set of one or more extracted identifierkeys to generate a key to index into the identifier key throttlingbucket 225 to retrieve a number of parameters relating to identifier keythrottling. In one embodiment, the identifier key throttling bucket 225is a hash table that is indexed by the generated key and includes anumber of parameters relating to the throttling (e.g., source MACaddress of the packet, number of packets already admitted (during thetime period), a timestamp of the last packet, and a set of attributes toallow locking/synchronization of these parameters for multiple packetswith the same key). The number of packets already admitted during thetime period for that identifier key is compared with the rate limitvalue for that key. If the rate limit value is exceeded, or admission ofthe packet would cause the value to be exceeded, the identifier keybased rate limiter module 140 drops that control packet.

However, if the rate limit value is not exceeded, then the identifierkey based rate limiter module 140 enqueues the control packet into oneof the protocol based queues 245 based on the protocol or control packettype (e.g., a separate queue for DHCP control packets, ARP controlpackets, PADI packets, PADR packets, and Neighbor Discovery for IPv6packets). The identifier key based rate limiter module 140 also adds thecontrol packet to the identifier key throttling bucket (e.g., updatesthe number of packets admitted, updates the timestamp, etc.).

In one embodiment, the identifier key based rate limiting module 240does not enqueue control packets to the protocol based queues 245 if thedepth of those queues (the number of packets currently enqueued) isgreater than a threshold. Each of the protocol based queues can have adifferent depth threshold.

The execution unit 230 performs a second level rate limiting (a protocolbased rate limiting) based on the protocol of the control packet or thetype of control packet. The protocol based rate limiter module 150retrieves the rate limit values associated with the protocol or type ofcontrol packet from the protocol level rate limit values 155. Differentprotocols or different types of control packet can have differentprotocol level rate limit values.

The protocol based rate limiter module 150 accesses the protocol levelthrottling bucket 255 based on the protocol or control packet type ofthe control packet. The protocol level throttling bucket includes anumber of parameters related to the protocol level rate limiting (e.g.,number of packets admitted (during the time period), a timestamp of thelast packet, etc.). The number of packets admitted during the timeperiod for that protocol or control packet type is compared with therate limit value for that protocol or control packet type respectively.The protocol based rate limiter 150 drops those packets (e.g., removesthose packets from the protocol based queues 245) whose number ofpackets admitted currently exceed the rate limit value. For thosepackets which pass the protocol level rate limiting, the protocol basedrate limiter 150 updates the protocol level throttling bucket 255 anddirects those packets to the control card for further processing.

In some embodiments, the execution unit 230 works in the background andperforms work in addition to the protocol level rate limiting. Forexample, as illustrated in FIG. 2, the execution unit 230 also executesan ager module 250 to remove and manage stale entries from theidentifier key throttling bucket 225 and optionally the protocol levelthrottling bucket 255. In one embodiment, the ager module 250 istriggered to execute based on expiration of an ager timer. Additionally,as illustrated in FIG. 2, the execution unit 230 executes the identifierkey based rate limiting module 240 which is similar to the identifierkey based rate limiter module 140 executed by the execution units 220.

Since there are multiple execution units 220, there is a chance thatmultiple execution units can attempt to perform identifier key basedrate limiting on the same key at approximately the same time which canlead to an execution unit using stale information when determiningwhether to accept a packet. In one embodiment, when one of the executionunits 220 begins the identifier key based rate limiting for anidentifier key, that execution unit sets a flag to indicate to the otherexecution units that it is currently performing identifier key basedrate limiting on that identifier key. If a different one of theexecution units 220 receives a control packet with that identifier keywhile the flag is set, the execution unit 220 does not performidentifier key based rate limiting and notifies the execution unit 230that the identifier key based rate limiting has not been performed. Inone embodiment, that different one of the execution units 220 enqueuesthat control packet into the appropriate one of the protocol basedqueues 245. Sometime after receiving such an indication, the identifierkey based rate limiting module 240 of the execution unit 230 performsthe identifier key based rate limiting in a similar way as describedabove.

In one embodiment, the execution unit 230 may periodically execute theidentifier key based rate limiting module 240 to validate theperformance of the execution units 220 and may determine to drop apacket accepted by the execution units 220.

FIG. 3 is a flow diagram illustrating exemplary operations forhierarchical control packet rate limiting according to one embodiment ofthe invention. The operations of FIG. 3 will be described with referenceto the exemplary embodiment of FIG. 2. However, it should be understoodthat the operations of FIG. 3 can be performed by embodiments of theinvention other than those discussed with reference to FIG. 2, and theembodiments discussed with reference to FIG. 2 can perform operationsdifferent than those discussed with reference to FIG. 3.

At block 310, one of the line cards 125 receives a control packet. Flowmoves to block 315, where the packet parsing engine 210 on that linecard parses the received control packet and writes packet data into thepacket buffer memory 215. Flow then moves to block 320, where the packetis enqueued into one of multiple packet work queues 212 based onpriority of the packet. Flow moves from block 320 to block 325.

At block 325, one of the execution units 220 selects the control packetfrom the packet work queues 212 to begin processing. Flow next moves toblock 330 where the protocol is determined based on information in thepacket buffer memory. If the protocol includes multiple types of controlpackets that are separately rate limited (e.g., PADI and PADR packets),the type of control packet is also determined. In one embodiment, aprotocol identifier is associated with the control packet thatidentifies the protocol type of the packet and/or the control packettype.

Flow then moves to block 335 where the identifier key based rate limitermodule 140 determines the set of one or more key identifiers included inthe packet to extract based on the protocol or type of control packet ofthe packet and extracts those identifiers. For example, if the controlpacket is a DHCP packet, then the source MAC address and optionally theGIADDR is extracted from that packet. As another example, if the controlpacket is a PADI or PADR packet, then the source MAC address isextracted from that packet. Of course, it should be understood that thesystem operator may configure different identifier keys to be used forthe control packets. Flow moves from block 335 to block 340.

At block 340, the identifier key based rate limiting module 340 appliesa hash function to the extracted key identifiers to generate a key indexto index into the identifier key throttling bucket 225. Flow moves fromblock 340 to block 345. At block 345, the identifier key based ratelimiting module 340 accesses the identifier key throttling bucket usingthe generated key index and retrieves the rate counters associated withthat key index including the number of packets associated with that keythat have been accepted in the current time interval. In addition, theidentifier key based rate limiting module 140 accesses the identifierkey rate limit values 145 and retrieves the key identifier rate limitthreshold value for the identifier key. Flow moves from block 345 toblock 355.

At block 355, the identifier key based rate limiter module 140determines whether the addition of the control packet to the value ofthe rate counters associated with the key index exceeds the keyidentifier rate limit threshold value. If the key identifier rate limitthreshold value would be exceeded, then flow moves to block 360 wherethe packet is dropped. Otherwise flow moves to block 365, where the keyis enqueued into the appropriate one of the protocol based queues 245.

In one embodiment, prior to enqueuing the packet into one of theprotocol based queues 245, the identifier key based rate limiter module140 checks the queue depth of that queue. If the addition of the packetwould cause the queue depth to exceed a queue depth threshold, then theidentifier key based rate limiter module 140 will drop the packet.

Flow moves from block 365 to block 370. At block 370, the protocol basedrate limiter module 150 accesses the protocol level rate limit values155 and retrieves the protocol level rate limit value for the protocoltype of the packet or the control packet type. In addition, the protocolbased rate limiter module 150 accesses the protocol level throttlingbucket 255 and retrieves the rate counters associated with the protocolor type of control packet. Flow moves from block 370 to block 375.

At block 375, the protocol based rate limiter module 150 determineswhether the addition of the control packet to the value of the protocollevel rate counter exceeds the card level rate limit value associatedwith the protocol type or the control packet type. If the protocol levelrate limit is exceeded, then flow moves to block 380 where the packet isdropped. Otherwise, flow moves to block 385 where the protocol basedrate limiter module 150 directs the packet to the control card. Inaddition, the protocol based rate limiter module 150 updates theprotocol level throttling bucket 255 to reflect the packet being sent tothe control card.

Thus, the control packets can be rate limited in a hierarchical way toprovide a granular and flexible control packet rate limiting. In someembodiments, the system operators can configure the granularity of therate limiting and the key(s) used to identify the control packets. Inaddition, in some embodiments, the control packets can be rate limitedbased on protocol (e.g., DHCP) and/or based on specific types of controlpackets (e.g., PADR and PADI packets). Since the rate limiting isflexible and can be performed at different levels including a controlpacket identification level and a protocol level, the control packetsfrom different computer end stations (and different network interfaceswithin a computing end station) can be rate limited separately while anoverall protocol control packet rate limiting for each line card ismaintained. Thus, the hierarchical control packet rate limiting protectsagainst computer end stations performing denial of service attacks bytransmitting large amounts of control packets to the network elementwhile allowing legitimate control packet traffic to be accepted.

In some embodiments, the line cards in the network element includemultiple network processing units (NPUs) which each can separatelyperform identifier key based rate limiting and protocol based ratelimiting. FIG. 4 illustrates line cards with multiple network processingunits performing hierarchical rate limiting for control packetsaccording to one embodiment of the invention.

As illustrated in FIG. 4, each of the line cards 460 includes the NPUs405A and 405B. It should be understood that the number of NPUs isexemplary, as line cards may include a different number of NPUs inembodiments of the invention. The NPUs 405A and 405B are coupled withthe central line processor 410. In one embodiment, the NPUs 405A and405B are associated with different ports of the line card. The NPUs 405Aand 405B each receive control packets and perform identifier key ratelimiting and protocol based limiting separately. Thus, the NPUs405A-405B do not share a memory domain and are not independently awareof what the other processes. Thus, it is possible that different NPUscan be processing control packets for the same protocol and identifierkey at substantially the same time. As illustrated in FIG. 4, the NPU405A performs the identifier key rate limiting 415, 420, and 425 for thesame protocol (e.g., DHCP) with an identifier key of MAC1, MAC2, andMAC3 respectively. The NPU 405B performs the identifier key based ratelimiting 430 and 435 for that same protocol (e.g., DHCP) with anidentifier key of MAC4, and MAC1 respectively. Thus, the NPU 405Aperforms the identifier key based rate limiting 415 for a DHCP packetwith an identifier key of MAC1 and the NPU 405B performs the identifierkey based rate limiting 435 for a DHCP packet with the same identifierkey of MAC1.

The NPU 405A then applies the protocol based rate limiting 440 to thosepackets which pass the identifier key based rate limiting 415, 420, and425. As illustrated in FIG. 4, the DHCP packet with an identifier ofMAC1 has passed the identifier key based rate limiting 415 and the DHCPpacket with an identifier of MAC3 has passed the identifier key basedrate limiting 425. The DHCP packet with an identifier of MAC2 did notpass the identifier key based rate limiting 420. Similarly, the NPU 405Bapplies the protocol based rate limiting 445 to those packets which passthe identifier key based rate limiting 430 and 435. As illustrated, theDHCP packets with identifiers MAC4 and MAC1 have passed the identifierkey based rate limiting 430 and 435 respectively.

The NPU 405A sends those packets which pass the protocol based ratelimiting 440 to the central line processor 410 for further processing.As illustrated, the DHCP packets with identifiers MAC1 and MAC3 pass theprotocol based rate limiting 440 and are sent to the central lineprocessor 410 for further processing. Similarly, the NPU 405B sendsthose packets which pass the protocol based rate limiting 445 to thecentral line processor 410 for further processing. The NPUs 405A and405B also send the protocol identifier with the packets along with thecurrent rate counters (identifier key rate counters and protocol ratecounters). As illustrated, the DHCP packet with an identifier of MAC1has passed the protocol based rate limiting 445 yet the DHCP packet withan identifier of MAC4 did not pass and is not sent to the central lineprocessor 410.

The central line processor 410 aggregates those packets from the sameprotocol and identifier key for those packets its receives from the NPUs405A and 405B. For example, the central line processor 410 adds thevalues of the identifier key rate counters for the same identifier keyand protocol received from the NPUs 405A and 405B. Similarly, thecentral line processor 410 adds the values of the protocol rate countersfor the control packets that have the same protocol identifier receivedfrom the NPUs 405A and 405B. By way of example, the central lineprocessor 410 aggregates the identifier key rate counters for the DHCPpackets with the identifier of MAC1 received from the NPUs 405A and405B. Based on the aggregate value of the identifier key rate counters,the identifier key based limiting 450 is performed. Those packets whichpass the identifier key based limiting 450 are then rate limited by theprotocol limiting 455, which is based on the aggregate value of theprotocol rate counters. Those packets which pass the protocol limiting455 are then allowed to be sent to the control card for furtherprocessing.

In one embodiment, each of the NPUs performs similar operations asdescribed with reference to FIGS. 2 and 3 with the exception thatinstead of sending those control packets which pass the hierarchicalrate limiting to the control card, those control packets are sent to thecentral line processor for further aggregation and rate limiting. Insuch an embodiment, each of the NPUs includes multiple execution unitsto perform the identifier key based rate limiting and a set of one ormore execution units to perform the protocol based rate limiting. Forexample, FIG. 5 illustrates a more detailed view of one of the linecards that includes multiple network processing units that performshierarchical rate limiting according to one embodiment of the invention.As illustrated in FIG. 5, the NPU 405A and 405B respectively include theidentifier key based rate limiter module 540A and 540B and the protocolbased rate limiter module 550A and 550B. Although not illustrated forthe sake of brevity, it should be understood that for each of the NPUs405A and 405B, multiple execution units execute an instance of theidentifier key based rate limiter modules 540A and 540B and a set of oneor more execution units executes the protocol based rate limitingmodules 550A and 550B. In one embodiment, the identifier key basedlimiter modules 540A and 540B perform similarly to the identifier keybased limiter module 140 illustrated in FIG. 1, and the protocol basedrate limiter modules 550A and 550B perform similarly to the card levelbased limiter module 150 with the exception that the packets which passthe protocol based rate limiting are sent to the central line processor410 instead of being allowed to be sent to the control card.

Those packets which pass the protocol based rate limiting from each ofthe NPUs 405A and 405B are sent to the central line processor 410 alongwith a protocol identifier and the associated packet counters (e.g., thecurrent identifier key packet count value and the current protocolpacket count value). The central line processor 410 aggregates thecontrol packets received from the different NPUs 405A and 405B based onidentifier key and protocol and applies an aggregate identifier keybased rate limiting and an aggregate protocol based rate limiting tothose control packets. For example, the aggregator module 530 aggregatesthe identifier key packet count values for each different identifier keyof the control packets it receives, and aggregates the protocol packetcount values for the control packets it receives. The aggregator module530 updates the identifier key rate counters 570 and the protocol ratecounters 580 as appropriate (e.g., with an updated packet count).

Sometime after a packet is aggregated with the other like packets, theaggregate identifier key based rate limiter module 560 accesses theidentifier key rate limit values 570 and retrieves the rate limit valueassociated with the identifier key of that packet. The retrieved ratelimit value is compared with the aggregated packet count for thatidentifier key. Those packets whose aggregate packet count value isgreater than its associated rate limit value are dropped. Those packetswhich pass the aggregate identifier key based rate limiting are thenrate limited based on their protocol or control packet type.

The aggregate protocol level based rate limiter 565 accesses theprotocol rate limit values 585 and retrieves the rate limit valueassociated with the protocol or control packet type of the controlpacket. The retrieved rate limit value is compared with the aggregatedpacket count for that protocol or control packet type. Those packetswhose aggregate packet count value exceeds its associated rate limitvalue are dropped. Those packets which pass the aggregate protocol basedrate limiting are then allowed to be sent to the control card forfurther processing.

FIG. 6 is a flow diagram illustrating exemplary operations forhierarchical rate limiting in line cards with multiple networkprocessing units according to one embodiment of the invention. Theoperations of FIG. 6 will be described with reference to the exemplaryembodiment of FIG. 5. However, it should be understood that theoperations of FIG. 6 can be performed by embodiments of the inventionother than those discussed with reference to FIG. 5, and the embodimentsdiscussed with reference to FIG. 5 can perform operations different thanthose discussed with reference to FIG. 6.

As illustrated in FIG. 6, the flow of operations begins at the block 375as described with reference to FIG. 3. According to one embodiment, theoperations described with reference to FIG. 3 (e.g., the operationsdescribed in reference to blocks 310-370) is performed by one of theNPUs 405A and 405B. For example, at block 310, one of the NPUs 405A and405B receives a control packet. For purposes of explanation, theoperations described in reference to FIG. 6 assume that the NPU 405A hasreceived a control packet.

At block 375, the protocol based rate limiting module 550A determineswhether the addition of the control packet to the value of the protocolbased rate counter exceeds the protocol based rate limit associated withthe protocol type or the control packet type of the received packet. Ifthe protocol rate limit value is exceeded, then flow moves to block 380where the packet is dropped, otherwise flow moves to block 610.

At block 610, the NPU 405A sends the control packet to the central lineprocessor 410 along with the key identifier of the control packet, theprotocol identifier of the control packet, and the current packet countvalues associated with the control packet (e.g., the current keyidentifier packet count values and the current protocol packet countvalues). Flow moves from block 610 to block 615.

At block 615, the central line processor 410 aggregates the packet countvalues associated with the received control packet. For example, theaggregator module 530 aggregates the packet count values associated withthe received control packet by adding those values to the values storedin the identifier key rate counters 570 and the protocol rate counters580. The aggregator module 530 may also update a timestamp of the packetin the identifier key rate counters 570 and the protocol rate counters580. Of course, it should be understood that if the received controlpacket is the first packet received with the identifier key or protocol,the aggregator module 530 can create entries for the packet in theidentifier key rate counters 570 and the protocol rate counters 580.

Flow moves from block 615 to block 620, where the aggregate identifierkey based rate limiter module 560 accesses the identifier key rate limitvalues 575 and retrieves the identifier key rate limit value associatedwith the identifier key of the packet. Also, the aggregate identifierkey based rate limiter module 560 accesses the identifier key ratecounters 570 and retrieves the number of packets admitted over the timeperiod with that identifier key. Flow moves from block 620 to block 625,where the aggregate identifier key based rate limiter module 560determines whether the aggregated packet count value exceeds theidentifier key base rate limit. If the count exceeds the rate limit,then flow moves to block 630 where the packet is dropped, otherwise flowmoves to block 635 where a protocol based rate limiting begins.

At block 635, the aggregate protocol based rate limiter module 565accesses the protocol rate limit values 585 and retrieves the protocolrate limit value associated with the control packet (e.g., based on theprotocol identifier transmitted with the control packet). In addition,the aggregate protocol based rate limiter module 565 accesses theprotocol rate counters 580 and retrieves the number of packets admittedhaving the protocol identifier of the control packet. Flow moves fromblock 635 to block 640, where the aggregate protocol based rate limitermodule 565 determines whether the aggregated packet count value for theprotocol identifier exceeds the protocol rate limit value for thatprotocol identifier. If the count exceeds the rate limit, then flowmoves to block 630 where the packet is dropped. However, if the countdoes not exceed the rate limit, then flow moves to block 640 where thepacket is directed to the control card for further processing.

Thus in some embodiments, the line cards perform multiple hierarchicallevels of control packet rate limiting. However, it should be understoodthat in some embodiments one or more of the levels of control packetrate limiting are omitted. For example, in the case where the line cardsinclude multiple network processing units and a central line processor,in one embodiment the rate limiting is applied only at the networkprocessing unit (thus, in such an embodiment the network processingunits do not perform control packet rate limiting). As another example,in some embodiments the protocol based rate limiting is omitted.

In some embodiments, in addition to identifier key based rate limitingand protocol based rate limiting, the control packets are rate limitedbased on the number of events per second. By way of example, an event isthe receipt of a control packet, regardless of protocol, on the linecard. For example, prior to the identifier key based rate limiting, uponreceipt of a control packet, the line card determines whether thecontrol packet passes the event per second rate limiting. If the packetpasses the event per second rate limiting, the identifier key based ratelimiting is then performed. If the packet does not pass the event persecond rate limiting, the line card will drop the packet. In oneembodiment, the events per second rate limiting is specific to circuits(that is, the events per second rate limiting is applied separately foreach different circuit).

Although embodiments have been described with respect to control packetrate limiting based on key identifiers and based on protocol type, inother embodiments the control packets may further be limited atdifferent granularities (e.g., per port, per VLAN/ATM-PVC, persubscriber, etc.). In addition, in some embodiments, instead of ratelimiting the control packets based on key identifiers in the packet andbased on protocol type of the control packets, the control packets arelimited at different granularities (e.g., per port, per VLAN/ATM-PVC,per subscriber, etc.).

Although embodiments have been described with respect to rate limitingcontrol packets based on a class of identifier keys (e.g., treating thecontrol packets with unique identifier keys of the same protocol equallyby having the same identifier key rate limit value), in some embodimentsthe identifier key rate limit value can be specific to individualidentifier keys. Additionally, in some embodiments the identifier keyrate limit values are dynamic and can change for individual identifierkeys depending on history of control packets received (e.g., responsiveto detecting an abnormally high amount of control packets for thatidentifier key (and thus a possible denial of service attack), the ratelimit value for that identifier key can be lowered).

While the flow diagrams in the figures show a particular order ofoperations performed by certain embodiments of the invention, it shouldbe understood that such order is exemplary (e.g., alternativeembodiments may perform the operations in a different order, combinecertain operations, overlap certain operations, etc.)

While the invention has been described in terms of several embodiments,those skilled in the art will recognize that the invention is notlimited to the embodiments described, can be practiced with modificationand alteration within the spirit and scope of the appended claims. Thedescription is thus to be regarded as illustrative instead of limiting.

1. A method for rate limiting control packets performed on a line cardof a network element, comprising: receiving a plurality of controlpackets at the line card; for each received control packet, performingthe following: determining a protocol type of that control packet,extracting a set of one or more identifier keys in that control packetbased on the determined protocol type of that control packet, performingan identifier key based rate limiting on that control packet based onthe set of extracted identifier keys and the determined protocol type ofthat control packet; dropping those of the received control packets thatdo not pass the identifier key based rate limiting; and for each ofthose of the received control packets that pass the identifier key basedrate limiting, performing a protocol level rate limiting based on thedetermined protocol type of that packet.
 2. The method of claim 1,wherein for those control packets that are determined to be PPPoE (pointto point protocol over Ethernet) control packets, further determiningwhether the PPPoE control packet is a PPPoE Active Discovery Request(PADR) or a PPPoE Active Discovery Initiate (PADI) control packet,wherein the identifier key based rate limiting is performed separatelyfor PADR control packets and PADI control packets.
 3. The method ofclaim 1, wherein at least some of the control packets are DHCP (DynamicHost Configuration Protocol) packets and the set of identifier keys foreach of those control packets includes one or more of a source MAC(Media Access Control) address, a source IP (Internet Protocol)address., a VLAN (Virtual Local Area Network) identifier, an ATM(Asynchronous Transfer Mode) PVC (Permanent Virtual Circuit) identifier,a GIADDR (Gateway IP Address), and a port identifier.
 4. The method ofclaim 1, wherein at least some of the control packets are ARP (AddressResolution Protocol) control packets and the set of identifier keys foreach of those control packets includes a source MAC (Media AccessControl) address.
 5. The method of claim 1, wherein the identifier keybased rate limiting includes the following for each control packet:retrieving an identifier key rate limit counter associated with the setof identifier keys extracted from the control packet; retrieving anidentifier key rate limit threshold value associated with the determinedprotocol type of the control packet; comparing the retrieved rate limitcounter with the rate limit threshold, wherein the control packet passesthe identifier key based rate limiting if the rate limit threshold isnot exceeded and fails the identifier key based rate limiting if therate limit threshold is exceeded.
 6. The method of claim 5, furthercomprising: wherein the protocol level rate limiting based on thedetermined protocol type includes the following for each control packetthat passed the identifier key based rate limiting: retrieving aprotocol level rate limit counter associated with the determinedprotocol type of the control packet, retrieving a protocol level ratelimit threshold value associated with the determined protocol type ofthe control packet, and comparing the retrieved protocol level ratelimit counter with the protocol level rate limit threshold; and droppingthose control packets whose rate limit counter exceeds the correspondingprotocol level rate limit threshold.
 7. The method of claim 1, furthercomprising: wherein the line card includes a plurality of networkingprocessing units (NPU) coupled with different ones of a plurality ofports of the line card, wherein different ones of the plurality ofcontrol packets are received at different ones of the plurality of NPUs,wherein each of the NPUs performs an identifier key based control packetrate limiting and a protocol based control packet rate limiting, whereinfor each of the received control packets that pass the control packetlevel rate limiting, performing the following: sending that controlpacket to a central line processor on the line card along with the setof identifier keys, a protocol identifier, a identifier key packet countvalue, and a protocol packet count value associated with that controlpacket; aggregating the identifier key packet count values for thosecontrol packets having a same set of identifier keys and protocolidentifier; aggregating the protocol packet count values for thosecontrol packets having a same protocol identifier; for each packetcontrol packet received on the central line processor, performing thefollowing: retrieving the aggregate identifier key packet count valuecorresponding with the control packet; retrieving an identifier key ratelimit threshold value associated with the control packet based on theprotocol identifier and the set of identifier keys associated with thecontrol packet; performing an aggregate identifier key based ratelimiting by comparing the aggregate identifier key packet count valuecorresponding with the control packet with the identifier key rate limitthreshold value associated with the control packet, wherein the controlpacket passes the aggregate identifier key based rate limiting if theidentifier key rate limit threshold value is not exceeded, and whereinthe control packet fails the aggregate identifier key based ratelimiting if the identifier key rate limit threshold value is exceeded;and dropping those control packets that fail the aggregate identifierkey based rate limiting.
 8. The method of claim 7, further comprising:for each of the control packets that pass the aggregate identifier keybased rate limiting, performing the following: retrieving the aggregateprotocol packet count value corresponding with the control packet,retrieving a protocol rate limit threshold value for the control packetbased on the protocol identifier associated with the control packet,performing an aggregate protocol based rate limiting by comparing theaggregate protocol packet count value corresponding with the controlpacket with the protocol rate limit threshold value for the controlpacket, wherein the control packet passes the aggregate protocol basedrate limiting if the protocol rate limit threshold value is not exceededby the aggregate protocol packet count value, and wherein the controlpacket fails the aggregate protocol based rate limiting if the protocolrate limit threshold value is exceeded by the aggregate protocol packetcount value; dropping those control packets that fail the aggregateprotocol based rate limiting; and directing those control packets thatpass the aggregate protocol based rate limiting to the control card. 9.A line card for rate limiting control packets, comprising: a packetparsing engine to parse control packets to determine protocol types ofthe control packets and extract a set of one or more identifier keys ineach control packet based on the determined protocol type of the controlpackets; a plurality of first execution units each to each perform afirst level of control packet rate limiting on the control packets perunique ones of the set of identifier keys and protocol type according toa number of control packets of each unique protocol type and set ofidentifier keys that are accepted for processing over a first timeinterval, wherein each of the first execution units is to drop thosecontrol packets that fail the first level of control packet ratelimiting; and a set of one or more second execution units to perform asecond level of control packet rate limiting on those control packetsthat pass the first level of control packet rate limiting per protocoltype according to a number of control packets of each unique protocoltype that are accepted for processing over a second time interval,wherein each of the set of second execution units is to drop thosecontrol packets that fail the second level of control packet ratelimiting.
 10. The line card of claim 9, further comprising: a memory tostore rate limit values and packet count values, wherein the rate limitvalues include identifier key rate limit values and protocol level ratelimit values, wherein the packet count values include the following: foreach unique set of identifier keys per protocol type, a packet countvalue that indicates the number of packets accepted for processing overthe first interval associated having that set of identifier keys andprotocol type, and for each protocol type, a packet count value thatindicates the number of packets accepted for processing having thatprotocol type.
 11. The line card of claim 9, wherein each of the set ofsecond execution units further is to send those control packets thatpass the second level of control packet rate limiting to a control cardcoupled with the line card.
 12. The line card of claim 9, wherein theplurality of execution units is to perform the first level of controlpacket rate limiting for those packets which are PADR (PPPoE ActiveDiscovery Request) packets and PADI (PPPoE Active Discovery Initiate)packets separately, wherein the set of identifier keys used in the firstlevel of control packet rate limiting for PADR packets and PADI packetsincludes one or more of a source MAC address, a VLAN (Virtual Local AreaNetwork) identifier, and a port identifier.
 13. The line card of claim9, wherein the control packets include DHCP (Dynamic Host ConfigurationProtocol) control packets, and wherein the set of identifier keys usedfor each of the DHCP control packets includes one or more of a sourceMAC address included in that DCHP control packet, a source IP (InternetProtocol) address in that DHCP control packet, a VLAN (Virtual LocalArea Network) identifier in that DHCP control packet, an ATM(Asynchronous Transfer Mode) PVC (Permanent Virtual Circuit) identifierin that DHCP control packet, a GIADDR (Gateway IP Address) in that DHCPcontrol packet, and a port identifier on which the DHCP control packetis received on.
 14. A network element to perform hierarchical controlpacket rate limiting, comprising: a control card including, a set of oneor more protocol modules to process control packets received from aplurality of line cards; and the plurality of line cards coupled withthe control card, each line card including, a packet parsing engine toreceive and parse control packets and write packet data into a buffermemory of the line card, the packet data including a set of one or moreidentifier keys associated with each of the control packets, anidentifier key based rate limiter module to perform identifier key ratebased limiting on the control packets per the set of identifier keys ofthose control packets, wherein the identifier key based rate limitermodule is to perform the following for each control packet, compare anidentifier key packet count value associated with the set of identifierkeys for that packet with a identifier key rate limit value associatedwith that set of identifier keys, wherein the identifier key packetcount value represents a number of control packets accepted forprocessing in a first time interval having that set of identifier keys,drop the control packet if the identifier key packet count value exceedsthe identifier key rate limit value for that first time interval; aprotocol based rate limiter module to perform protocol based ratelimiting on those control packets whose associated identifier key packetcount value does not exceed their associated identifier key rate limitvalue, wherein the protocol based rate limiter module is to perform thefollowing for each of those control packets: compare a protocol packetcount value associated with a protocol type of the control packet with aprotocol rate limit value associated with that protocol type, whereinthe protocol packet count value represents a number of control packetsaccepted for processing in a second time interval having that protocoltype, drop the control packet if the protocol packet count value exceedsthe protocol rate limit value for that second time interval, and sendthe control packet to the control card if the protocol packet countvalue does not exceed the protocol rate limit value for that given timeperiod.
 15. The network element of claim 14, wherein the control cardfurther includes a command line interface module to receive theidentifier key rate limit value and the protocol rate limit value from asystem operator of the network element, and further receive an amount oftime for the first time interval and an amount of time for the secondtime interval.
 16. The network element of claim 14, wherein theidentifier key based rate limiter module is to perform the identifierkey rate based limiting for those packets which are PADR (PPPoE ActiveDiscovery Request) packets and PADI (PPPoE Active Discovery Initiate)packets separately, wherein the set of identifier keys used in theidentifier key based rate limiting for PADR packets and PADI packetsincludes one or more of a source MAC address, a VLAN (Virtual Local AreaNetwork) identifier, and a port identifier.
 17. The network element ofclaim 14, wherein the control packets include DHCP (Dynamic HostConfiguration Protocol) control packets, and wherein the set ofidentifier keys used for each of the DHCP control packets includes oneor more of a source MAC address included in that DCHP control packet, asource IP (Internet Protocol) address in that DHCP control packet, aVLAN (Virtual Local Area Network) identifier in that DHCP controlpacket, an ATM (Asynchronous Transfer Mode) PVC (Permanent VirtualCircuit) identifier in that DHCP control packet, a GIADDR (Gateway IPAddress) in that DHCP control packet, and a port identifier on which theDHCP control packet is received on.
 18. A line card for rate limitingcontrol packets, comprising: a plurality of network processing units(NPUs), each NPU having a separate memory domain, wherein each NPU iscoupled with one or more ports of the line card, and each NPU includesthe following: a packet parsing engine to parse control packets todetermine a protocol type of each control packet and extract a set ofone or more identifier keys from each control packet based on thedetermined protocol type of that control packet, a plurality of firstlevel execution units to perform an identifier key based rate limitingfor each unique set of extracted identifier keys per protocol type,wherein each of the first level execution units is to drop those controlpackets which do not pass the identifier key based rate limiting, a setof one or more second level execution units coupled with the pluralityof first level execution units, the set of second level execution unitsto perform the following: a protocol based rate limiting for each ofthose control packets that pass the identifier key based rate limitingfor each protocol type, drop those control packets which do not pass theprotocol based rate limiting, and send each of those control packetswhich pass the protocol based rate limiting to a central line processorof the line card; the central line processor coupled with the pluralityof NPUs, the central line processor to perform the following: aggregatethose control packets received from the plurality of NPUs that have asame set of identifier keys, aggregate those control packets receivedfrom the plurality of NPUs that have a same protocol type, perform anaggregate identifier key based rate limiting on the control packetsreceived from the plurality of NPUs for each unique set of identifierkeys per protocol type, drop those control packets that fail theaggregate identifier key based rate limiting, perform an aggregateprotocol based rate limiting for each of those control packets that passthe aggregate identifier key based rate limiting for each uniqueprotocol type, drop those control packets that fail the aggregateprotocol based rate limiting, and send those packets that pass theaggregate protocol based rate limiting to a control card coupled withthe line card.
 19. The line card of claim 18, wherein the controlpackets include PADR (PPPoE Active Discovery Request) packets and PADI(PPPoE Active Discovery Initiate) packets, and wherein the PADR packetsand PADI packets are rate limited separately.
 20. The line card of claim18, wherein the control packets includes DHCP (Dynamic HostConfiguration Protocol) control packets, and wherein the set ofidentifier keys used for each of the DHCP control packets includes asource MAC address included in that DCHP control packet, a source IP(Internet Protocol) address in that DHCP control packet, a VLAN (VirtualLocal Area Network) identifier in that DHCP control packet, an ATM(Asynchronous Transfer Mode) PVC (Permanent Virtual Circuit) identifierin that DHCP control packet, a GIADDR (Gateway IP Address) in that DHCPcontrol packet, and a port identifier on which the DHCP control packetis received on.